The Securities and Exchange Commission (SEC) is coming under fire in Washington after revealing a data breach that may have allowed hackers to profit from stolen insider information.
Jay Clayton, the SEC’s new chairman, revealed late Wednesday that hackers breached its EDGAR corporate filing system last year by exploiting a software vulnerability. The incident was detected in 2016 but only recently found to have potentially provided a basis for illicit trading gains.
The breach, revealed less than two weeks after the massive breach of credit reporting firm Equifax, generated immediate scrutiny on Capitol Hill. Lawmakers warned of growing cyber threats to the financial industry, long a top target of hackers.
“The risks from cyber breaches continue to threaten consumers and our financial markets,” Sen. Sherrod Brown (D-Ohio) told The Hill on Friday. “We expect corporations that hold sensitive data to disclose information about breaches as soon as possible, and the SEC is no different.”
The SEC intrusion has created an early test for Clayton, who was confirmed to his post in May.
Clayton will testify Tuesday before the Senate Banking Committee, on which Brown serves as the top Democrat, giving lawmakers a prime opportunity to question him about the breach.
Sen. Mark Warner (D-Va.), who sits on the committee, said that the SEC’s revelation “shows that government and businesses need to step up their efforts to protect our most sensitive personal and commercial information.”
Clayton issued a lengthy statement late Wednesday revealing that hackers gained access to nonpublic information held in EDGAR through the vulnerability, which the agency said it patched “promptly” after its discovery last year. This past August, the SEC learned that the information “may have provided the basis for illicit gain through trading” — triggering the public disclosure this month.
While the investigation into the hack is ongoing, Clayton said that the agency has reason to believe “the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”
Many questions remain, including who was behind the breach, what data was stolen, when exactly hackers gained access to the filing system, and how long they had access.
Doug Henkin, a lawyer at the firm Baker Botts with expertise in cybersecurity, said that by targeting EDGAR the hackers were clearly after specific information on publicly traded companies. But he questioned whether the hackers may have been able to gain access to other systems managed by the SEC, which could signal a more extensive breach.
“The real question is whether this breach could have been used to get into other systems,” Henkin said. “What the statement doesn’t discuss is whether the EDGAR system could be used as an entry point into other systems that the SEC maintains.”
When contacted, a spokesman for the SEC provided no additional information.
Some in Washington are troubled that they are only now learning of the incident. Rep. Jim Langevin (D-R.I.) told The Hill that he was “very disappointed” to only have learned of the breach on Wednesday.
“The scope of a cybersecurity incident is not always readily apparent, and transparency can help affected entities take measures to protect themselves and lead to improvements in risk management processes,” Langevin said.
“Government needs to lead by example in this space, and I will be interested to learn how the SEC notified other governmental entities of the breach.”
Rep. Bill Huizenga (R-Mich.), who chairs a House subcommittee with oversight of the SEC, told Reuters that Clayton alerted lawmakers to the hack with a “courtesy call” before announcing it late Wednesday.
“It’s hugely problematic and we’ve got to be serious about how we protect that information as a regulator,” the lawmaker said.
Clayton signaled as recently as this month that he would like to have a more robust dialogue around cybersecurity and disclosure procedures for publicly listed companies, describing cyber risks as “systemic.”
“The SEC is in an interesting situation here because, on the one hand, they obviously are dealing with their own security issues. On the other hand, they are responsible to enforce disclosure of incidents to the market to investors,” said Jake Olcott, a former legal adviser to the Senate Commerce Committee who now works for security ratings firm BitSight.
Warner signaled Thursday that he plans to question Clayton on the SEC’s thresholds for requiring that companies disclose breaches.
The SEC is likely to receive continued scrutiny over the security of its systems, despite Clayton's attempt to address the agency's cybersecurity efforts in the statement announcing the breach.
Reuters reported Thursday that the Department of Homeland Security (DHS) had found several “critical” cybersecurity weaknesses on SEC computer systems as recently as January, likely months after the SEC said the EDGAR vulnerability had been patched.
Broadly, the Trump administration has put a priority on safeguarding federal networks from intrusions. The president signed an executive order in May that triggered agency reviews of their cybersecurity posture.
The order also made clear that agency heads would be held accountable for information security.
“I actually think it speaks a lot to this newfound importance that the administration is placing on senior level accountability and responsibility,” Olcott said of the SEC’s disclosure. “I think that’s something the Chairman Jay Clayton seems to have taken to heart.”